SUPEE-5994

SUPEE-5994 is a bundle of eight patches that resolve several security-related issues.

You can find more details on the vulnerabilities addressed by this patch below:

Admin Path Disclosure - APPSEC-977

Type:

Information Leakage (Internal)

CVSSv3 Severity:

5.3 (Medium)

Known Attacks:

None

Description:

An attacker can force the Admin Login page to appear by directly calling a module, regardless of the URL. This exposes the Admin URL on the page, and makes it easier to initiate password attacks.

Product(s) Affected:

Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1

Fixed In:

CE 1.9.2.0, EE 1.14.2.1

Reporter:

Peter O'Callaghan

Customer Address Leak through Checkout - APPSEC-945

Type:

Information Disclosure / Leakage (Confidential or Restricted)

CVSSv3 Severity:

5.3 (Medium)

Known Attacks:

None

Description:

Enables an attacker to obtain address information (name, address, phone) from the address books of other store customers.

During the checkout process, the attacker can gain access to an arbitrary address book by entering a sequential ID. No payment information is returned. The only requirement for the attacker is to create an account in the store, put any product into the cart, and start the checkout process.

This attack can be fully automated, and a functional proof of concept exists.

The attacker just needs to create an account with the store. While viewing their own recurring profile, the attacker can request an arbitrary recurring profile using a sequential ID. The information is then returned to the attacker.

This attack can be fully automated, and a manual proof of concept exists.

This issue enables an attacker to execute JavaScript code within the context of a Magento Connect Manager session. If the administrator clicks a malicious link, the session can be stolen, and malicious extensions installed.

Product(s) Affected:

Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1

Fixed In:

CE 1.9.2.0, EE 1.14.2.1

Reporter:

Robert Foggia / Trustwave

Spreadsheet Formula Injection - APPSEC-978

Type:

Formula Injection

CVSSv3 Severity:

6.1 (Medium)

Known Attacks:

None

Description:

Attacker can provide input that executes a formula when exported and opened in a spreadsheet such as Microsoft Excel. The formula can modify data, export personal data to another site, or cause remote code execution. The spreadsheet usually displays a warning message, which the user must dismiss for the attack to succeed.

Enables an attacker to execute JavaScript in the context of a customer session. If a customer clicks a malicious link, the attacker can steal cookies and hijack the session, which can expose personal information and compromise checkout.
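One way to neutralise the spreadsheet formula injection described above at export time, as an added example (this is not Magento's patch code; the function names `neutraliseCell` and `exportRowsToCsv` and the sample rows are constructed for illustration):

```php
<?php
// Added example, not Magento's patch: make exported cells safe to open in a spreadsheet.

/**
 * Return a cell value that a spreadsheet will treat as text, not as a formula.
 * Spreadsheets evaluate cells that begin with =, +, - or @ (also after leading
 * whitespace), and cells that begin with a tab or carriage return.
 */
function neutraliseCell($value)
{
    $value = (string) $value;
    // Plain numbers such as -12.50 are legitimate data and stay unchanged.
    if (is_numeric($value)) {
        return $value;
    }
    if (preg_match('/^\s*[=+\-@]/', $value) || preg_match('/^[\t\r]/', $value)) {
        // A leading apostrophe makes the spreadsheet display the cell as literal text.
        return "'" . $value;
    }
    return $value;
}

/** Build a CSV string from rows, neutralising every cell before it is written. */
function exportRowsToCsv(array $rows)
{
    $handle = fopen('php://temp', 'r+');
    foreach ($rows as $row) {
        // fputcsv handles quoting of delimiters and enclosures; it does not stop formulas.
        fputcsv($handle, array_map('neutraliseCell', $row), ',', '"', '\\');
    }
    rewind($handle);
    $csv = stream_get_contents($handle);
    fclose($handle);
    return $csv;
}

// Constructed sample rows: customer-supplied fields that start with formula characters.
$rows = array(
    array('order_id', 'customer_name', 'total'),
    array('100000001', 'Jane Doe', '-12.50'),
    array('100000002', '=1+1', '19.99'),
    array('100000003', "\t@SUM(A1)", '5.00'),
    array('100000004', '+1-1', '7.25'),
);

echo exportRowsToCsv($rows);
```

The numeric check keeps negative totals intact while the customer-name cells that start with `=`, a tab, or `+` are written with a leading apostrophe.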

Product(s) Affected:

Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1

Fixed In:

CE 1.9.2.0, EE 1.14.2.1

Reporter:

Matthew Barry

Malicious Package Can Overwrite System Files - APPSEC-535

Type:

Abuse of Functionality

CVSSv3 Severity:

3.1 (Low)

Known Attacks:

None

Description:

Attacker can publish a malicious extension package. When the package is installed by a customer, it can overwrite files on the server. The attacker must first publish a package, and then entice a customer to install it. The package might contain a malicious load, as well.

Partners: Go to the Partner Portal, select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Patches & Support and look for the folder titled "Security Patches – May 2015."

Enterprise Edition Merchants: Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – May 2015.” Merchants can also upgrade to the latest version of the Enterprise Edition and receive the security fixes as part of the core code.

Community Edition Merchants: Patches for earlier versions of Community Edition can be found on the Community Edition download page (look for SUPEE-5994). Merchants can also upgrade today to the latest version of the Community Edition and receive the security fixes as part of the core code.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing patches for Magento Enterprise Edition and Magento Community Edition is available online.